OTPulse

Beckhoff Embedded PC Images and TwinCAT Components Vulnerabilities

Plan PatchCVSS 9.1ICS-CERT ICSA-16-278-02Jul 8, 2016
Beckhoff
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

Beckhoff Embedded PC Images (manufactured before October 22, 2014) and TwinCAT Components featuring Automation Device Specification (ADS) communication lack authentication and encryption mechanisms. The ADS protocol transmits automation commands in plaintext without authentication, allowing an attacker with network access to intercept, read, and modify control messages. This affects all versions of TwinCAT using ADS protocol. An attacker could alter process variables, modify PLC logic, disable safety interlocks, or cause operational anomalies. No vendor fix is available; systems remain vulnerable with current versions.

What this means
What could happen
An attacker with network access to Beckhoff Embedded PCs or systems running TwinCAT could intercept and modify unencrypted automation commands, potentially altering PLC logic, process setpoints, or sensor readings without detection.
Who's at risk
Facilities running Beckhoff Embedded PC industrial computers (manufactured before October 22, 2014) and any automation systems using TwinCAT with ADS protocol communication should be considered affected. This includes water treatment plants, electrical substations, manufacturing facilities, and HVAC systems that rely on Beckhoff controllers for process automation and safety functions.
How it could be exploited
An attacker on the network intercepts ADS (Automation Device Specification) protocol traffic between engineering workstations and Beckhoff controllers. Since ADS communication lacks authentication and encryption, the attacker can inject malicious commands to modify process variables, disable safety functions, or alter equipment behavior. The attack vector is network-based with no credentials or special configuration required beyond network access to the target devices.
Prerequisites
  • Network access to port 48898 (default ADS port) or other ADS communication channels
  • Ability to perform man-in-the-middle (MitM) attack or network sniffing
  • No authentication or encryption on ADS protocol
  • TwinCAT components or Beckhoff Embedded PC running vulnerable firmware
remotely exploitableno authentication requiredlow complexityno patch availableaffects safety systemsunencrypted protocoldefault/no credentials needed
Exploitability
Some exploitation risk — EPSS score 5.9%
Affected products (3)
3 EOL
ProductAffected VersionsFix Status
Beckhoff Embedded PC Images: <October-22-2014<October-22-2014No fix (EOL)
Beckhoff Embedded PC Images: <created_October-22-2014<created October-22-2014No fix (EOL)
TwinCAT Components featuring Automation Device Specification (ADS) communication: vers:all/*All versionsNo fix (EOL)
Remediation & Mitigation
0/5
Do now
0/3
TwinCAT Components featuring Automation Device Specification (ADS) communication: vers:all/*
HARDENINGImplement network access controls (firewall rules, ACLs) to restrict ADS communication to authorized engineering workstations only
All products
HARDENINGIsolate Beckhoff Embedded PCs and TwinCAT systems to a protected OT network segment not directly reachable from corporate networks or the internet
WORKAROUNDDisable remote engineering access to TwinCAT systems if not required for operations
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

TwinCAT Components featuring Automation Device Specification (ADS) communication: vers:all/*
HARDENINGMonitor ADS traffic for unauthorized commands using network IDS/IPS or industrial protocol analyzers
All products
HOTFIXContact Beckhoff technical support to determine if any firmware updates or patches are available for your specific Embedded PC models
View full CISA ICS-CERT advisory
API: /api/v1/advisories/6032671d-6c59-47b6-8002-c1604c525ee1

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.